This is the fourth in a continuing series of blog posts describing simple coding rules that help keep bugs out of embedded C programs.
Rule: The volatile keyword shall be used whenever appropriate, including:
- To declare a global variable accessible (by current use or scope) by any interrupt service routine,
- To declare a global variable accessible (by current use or scope) by two or more tasks, and
- To declare a pointer to a memory-mapped I/O peripheral register set (e.g., timer_t volatile * const p_timer ).
Reasoning: Proper use of volatile eliminates a whole class of difficult-to-detect bugs by preventing the compiler from making optimizations that would eliminate requested reads or writes to variables or registers that may be changed at any time by a parallel-running entity.
Anecdotal evidence suggests that programmers unfamiliar with the volatile keyword think their compiler’s optimization feature is more broken than helpful and disable optimization. The authors suspect, based on experience consulting with numerous companies, that the vast majority of embedded systems contain bugs waiting to happen due to a shortage of volatile keywords. These kinds of bugs often exhibit themselves as “glitches” or only after changes are made to a “proven” code base.
Coding Standard Rule #3
Coding Standard Rule #5
These rules are excerpts from the Embedded C Coding Standard book.
Tags: embedded, programming, safety, standards
Michael,The following paper/website has some additional information about bugs surrounding the use of volatile:http://www.cs.utah.edu/~regehr/papers/emsoft08-preprint.pdfhttp://www.cs.utah.edu/~eeide/emsoft08/I’ve recently heard (via a mailing list) that the authors have found several other compilers, beyond those in the paper, with the same issues.One of the takeaways from the paper is a decrease in error rate when volatile access is hidden behind helper function calls.Cheers!Erik Shreve